• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Liutauras Vilda
  • Bear Bibeault
  • Paul Clapham
  • Jeanne Boyarsky
Sheriffs:
  • Devaka Cooray
  • Junilu Lacar
  • Tim Cooke
Saloon Keepers:
  • Tim Moores
  • Ron McLeod
  • Tim Holloway
  • Claude Moore
  • Stephan van Hulst
Bartenders:
  • Winston Gutkowski
  • Carey Brown
  • Frits Walraven

isapi_redirect.dll - 2 workers in property files - 1 fails when leveraging F5 load balancer  RSS feed

 
Greenhorn
Posts: 4
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I have a vendor app at work and we are using the jakarta isapi_redirect.dll.  If we browse directly to the IIS server both worker1 and worker2 will work, However if we browse to F5 load balanced hostname only worker2 will work. Strangely if I remove worker2 from the property files worker1 will work using the F5 load balancer

Does anyone have any idea what might be causing this behavior  and what I can possibly do to fix it?  I have the isapi logs for every scenario but I haven't yet identified the problem.  When worker1 fails via the F5 I get a 404 and there is no evidence the request ever gets redirected to tomcat.

Thank you,

~metafizik


 
Saloon Keeper
Posts: 20510
115
Android Eclipse IDE Linux
  • Likes 1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Welcome to the JavaRanch, Jeff!

I'm afraid I last worked with IIS in 2001. Maybe someone else here could help.

One thing that I do wonder about is whether you should even be using isapi_redirect if you have an F5 frontend. I think that the F5 is supposed to be able to proxy straight into Tomcat without going through IIS first, as long as you program the right URL routing patterns into it.
 
Jeff Moen
Greenhorn
Posts: 4
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

Tim Holloway wrote:Welcome to the JavaRanch, Jeff!

I'm afraid I last worked with IIS in 2001. Maybe someone else here could help.

One thing that I do wonder about is whether you should even be using isapi_redirect if you have an F5 frontend. I think that the F5 is supposed to be able to proxy straight into Tomcat without going through IIS first, as long as you program the right URL routing patterns into it.




Thank you for the welcome Tim. The F5 and the filter are necessary as there are multiple IIS servers and we are leveraging windows auth so we can't browse directly to the backend tomcat servers.  Well we could eliminate IIS if they turned off SSO in the app but the business wants SSO.
 
Tim Holloway
Saloon Keeper
Posts: 20510
115
Android Eclipse IDE Linux
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Are you familiar with CAS?

The CAS Tomcat Realm plugin supplies SSO to Tomcat webapps and I'm pretty sure that it integrates that with Windows security.

 
Jeff Moen
Greenhorn
Posts: 4
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

Tim Holloway wrote:Are you familiar with CAS?

The CAS Tomcat Realm plugin supplies SSO to Tomcat webapps and I'm pretty sure that it integrates that with Windows security.



Thanks for that info Tim.  I will look into it or in any case keep it in my back pocket for future reference.  

I think I have found a bug in how the ISAPI filter parses the URL string. If the hostname contains the text of one of the uri's it applies that worker's rule.

For example, the hostname for my app is frontieruat.mydomain.com. I have a /cm and a /frontier worker. The isapi_redirect.dll handles both file when browsing directly to any of the IIS servers (http://uat-iisserver1/cm or http://uat-iisserver/frontier.)  The /frontier uri works fine via the F5 (http://frontieruat.mydomain.com/frontier) but the /cm uri doesn't work via the F5 using that hostname. After looking at the isapi.log it became clear that it was wrongly using the worker rule for /frontier for this request http://frontieruat.mydomain.com/cm. I figured the frontier in the hostname was confusing the isapi filter so I created a CNAME cmuat.mydomain.com on the frontieruat.mydomain.com A record and this worked http://cmuat.mydomain.com/cm.

I can only assume the isapi_redirect.dll has a parsing bug. I think they can configur an F5 iRule to send the IP address of VIP to IIS instead of the hostname frontieruat. I think I'd rather use that solution instead of the CNAME (which has not been tested other than I can get in the app using it.)

Thank you very much,

~metafizik
 
Jeff Moen
Greenhorn
Posts: 4
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

Tim Holloway wrote:Are you familiar with CAS?

The CAS Tomcat Realm plugin supplies SSO to Tomcat webapps and I'm pretty sure that it integrates that with Windows security.


No I haven't use that before and I could configure Tomcat for kerberos but the vendor says we have to use IIS and ISAPI. It's a losing battle to dispute a vendor's recommendation unless like has happened a few times in the past we tell the powers that be the vendor is doing it wrong and after 3 months of 12 hour days trying it the vendor's way the app still doesn't perform up to expectations they will finally let us do it the right way.
 
Tim Holloway
Saloon Keeper
Posts: 20510
115
Android Eclipse IDE Linux
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Ah yes, the old "Dogbert the over-priced consultant is All-Wise and the in-house peasants know nothing." And Dogbert probably proudly touts years of Windows experience while likely knowing nothing about Java, Linux/MacOS, or for that matter, the F5.

My condolences.
 
brevity is the soul of wit - shakepeare. Tiny ad:
Become a Java guru with IntelliJ IDEA
https://www.jetbrains.com/idea/
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!